Re: distributed directories
There actually are ways to store (at least parts of) your LDAP configuration in
LDAP. I do it for my HP-UX hosts. See
http://www.ietf.org/internet-drafts/draft-joslin-config-schema-07.txt
I maintain the configurations for our replicas with ssh, rsync, gawk, and sed.
When a sysadmin brings up a new server they use sed on a standard template file
to create the new slapd.conf for the local replica.
When I updated from samba 2.2 to samba 3.0 schema I generated the new
slapd.conf files on all the replicas with these two commands (line breaks in
the first command were added by my mail client):
# grep replica /etc/openldap/slapd.conf |
  gawk -F\: '/^[^#]/{print $1}' |
  gawk -F\= '{printf "ssh -2 -i/root/.ssh/id_dsa.ldapsync %s sed %cs/rid/sambaSID/g\\;s/ntPassword/sambaNTPassword/g\\;s/lmPassword/sambaLMpassword/g%c \\\</etc/openldap/slapd.conf \\\>slapd.conf.new\n", $2, 39, 39}' \
  >bush_in_the_skull
# bash bush_in_the_skull
As always with *nix pipelines, you have to be careful with the escapes.... I'm
sure this could be done cleaner, but I just yanked this out of my history file,
it's what actually worked.
--Charlie
On 14 Apr 2004 at 11:05, denis.havlik@t-mobile.at wrote:
>
> >> A) How do ACLs work in such a setup? I can imagine that one may get
> >> better performance if ACLs are determined on the caching server:
>
> >In general it is not a good idea, but it can be based on the trust you can
> >put on the caching servers. In the scenario you're drawing it appears
>
> In fact, this whole business with ACLs has been bothering me since the
> beginning. Everything else in openLDAP scales quite nicely, but ACLs (and
> other things, like "limit" statements & ssl certs) have to be entered
> again and again on every server. It's exactly the administrator's nightmare
> situation we are trying to avoid in the first place. :-(
>
> Automatically updating part of the slapd configuration file on slave
> servers at server start (btw, can slapd re-load the configuration without
> restart?) sounds like a good idea. I can think of two ways to do it:
>
> 1) The classical way, with scp/rsync or such. That's simple to do, but what
> do we have an LDAP server for?
> 2) Store the ACL data for slaves in LDAP, and read them from the master
> server when needed. Has anyone gone this way?
>
> One step further would be to "read the slapd configuration from master
> LDAP server". I presume this is an old idea - what was the result of
> discussions so far?
>
> regards
> Denis
>
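The replica-fan-out that Charlie's gawk pipeline performs, redone here as an added Python example (it is not code from this thread or from the OpenLDAP project). It reads the uncommented `replica` directives out of a master slapd.conf (both the `host=` and the `uri=` forms), builds the same three-substitution sed script, and emits one `ssh ... sed ... <slapd.conf >slapd.conf.new` command per replica. The whole remote command is quoted once with `shlex.quote`, so no `\;` or `\<` escaping is needed. The slapd.conf text, the hostnames and the key path are constructed sample values; `preview_changes` lets you see on the master exactly which lines the sed script would touch before anything is pushed.

```python
import re
import shlex

# Attribute renames from the samba 2.2 -> samba 3.0 schema change described
# in the post (sambaLMPassword is the canonical Samba 3 spelling).
RENAMES = {
    "rid": "sambaSID",
    "ntPassword": "sambaNTPassword",
    "lmPassword": "sambaLMPassword",
}

# Constructed sample of a master slapd.conf with replica directives in both
# the host= and uri= forms.  Hostnames and credentials are hypothetical.
SAMPLE_SLAPD_CONF = """\
# replica host=old.example.com:389 binddn="cn=replicator,dc=example,dc=com"
replica host=ldap2.example.com:389
        binddn="cn=replicator,dc=example,dc=com"
        bindmethod=simple credentials=secret
replica uri=ldaps://ldap3.example.com:636
        binddn="cn=replicator,dc=example,dc=com"
access to attrs=lmPassword,ntPassword
        by dn="cn=admin,dc=example,dc=com" write
        by self write
        by * none
"""

# Matches "replica host=NAME[:port]" or "replica uri=[scheme://]NAME[:port]"
# at the start of a line; lines starting with '#' never match.
_REPLICA_RE = re.compile(r"^replica\s+(?:host=|uri=(?:ldaps?://)?)([^\s:/]+)",
                         re.IGNORECASE)


def replica_hosts(conf_text):
    """Return the hostnames named by uncommented replica directives, in file order."""
    hosts = []
    for line in conf_text.splitlines():
        m = _REPLICA_RE.match(line)
        if m:
            hosts.append(m.group(1))
    return hosts


def sed_script():
    """The same plain-substring rewrite the post's command ships to each replica."""
    return ";".join("s/%s/%s/g" % (old, new) for old, new in RENAMES.items())


def rewrite_config(conf_text):
    """Apply RENAMES locally, mirroring what the remote sed will do."""
    for old, new in RENAMES.items():
        conf_text = conf_text.replace(old, new)
    return conf_text


def preview_changes(conf_text):
    """List (line number, before, after) for every line the rewrite alters."""
    changes = []
    for n, line in enumerate(conf_text.splitlines(), start=1):
        new = rewrite_config(line)
        if new != line:
            changes.append((n, line, new))
    return changes


def push_commands(conf_text, identity="/root/.ssh/id_dsa.ldapsync",
                  remote_conf="/etc/openldap/slapd.conf", out="slapd.conf.new"):
    """One ssh command per replica; the remote shell only ever sees one quoted string."""
    remote = "sed %s <%s >%s" % (shlex.quote(sed_script()),
                                 shlex.quote(remote_conf), shlex.quote(out))
    return ["ssh -2 -i %s %s %s" % (shlex.quote(identity), shlex.quote(host),
                                    shlex.quote(remote))
            for host in replica_hosts(conf_text)]


if __name__ == "__main__":
    for n, before, after in preview_changes(SAMPLE_SLAPD_CONF):
        print("line %d: %s  ->  %s" % (n, before.strip(), after.strip()))
    for cmd in push_commands(SAMPLE_SLAPD_CONF):
        print(cmd)
```

Run `preview_changes` against the master copy first: the `s/rid/sambaSID/g` substitution is a plain substring match, exactly as in the post, so it will also hit any other token containing `rid` (for example a comment containing the word "override"). If the preview shows such a line, narrow the pattern before generating the push commands. Writing to `slapd.conf.new` rather than over the live file, as the post does, keeps the running replica untouched until you have diffed the result.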